Considerations on COM(2021)421 - Authority for Anti-Money Laundering and Countering the Financing of Terrorism

Please note

This page contains a limited version of this dossier in the EU Monitor.

 
 
(1) Experience with the current Anti-Money Laundering and Countering the Financing of Terrorism (AML/CTF) framework, which heavily relies on the national implementation of AML/CFT measures, has disclosed weaknesses not only with regard to the efficient functioning of the AML/CFT framework of the Union but also with regards to integrating international recommendations. Those weaknesses lead to the emergence of new obstacles to the proper functioning of internal market both due to the risks within the internal market as well as external threats facing the internal market.

(2) Cross-border nature of crime and criminal proceeds endanger Union financial system efforts relating to prevention of money laundering and financing of terrorism. Those efforts have to be tackled at Union level through the creation of an Authority responsible for contributing to the implementation of harmonised rules. In addition, the Authority should pursue a harmonised approach to strengthen the Union’s existing AML/CFT preventive framework, and specifically AML supervision and cooperation between FIUs. That approach should reduce divergences in national legislation and supervisory practices and introduce structures that benefit the smooth functioning of the internal market in a determined manner and should, consequently, be based on Article 114 TFEU.

(3) Therefore, a European Authority for anti-money laundering and countering the financing of terrorism, the Anti-Money Laundering Authority (‘the Authority’) should be established. The creation of this new Authority is crucial to ensure efficient and adequate supervision of obliged entities having high inherent Money Laundering/Terrorist Financing (ML/TF) risk, strengthening common supervisory approaches for non-selected obliged entities and facilitating joint analyses and cooperation between Financial Investigation Units (FIUs).

(4) This new instrument is part of a comprehensive package aiming at strengthening the Union’s AML/CFT framework. Together, this instrument, Directive [please insert reference – proposal for 6th Anti-Money Laundering Directive], Regulation [please insert reference – proposal for a recast of Regulation (EU) 2015/847] and Regulation [please insert reference – proposal for the Anti-Money Laundering Regulation] will form the legal framework governing the AML/CFT requirements to be met by obliged entities and underpinning the Union’s AML/CFT institutional framework.

(5) To bring AML/CFT supervision to an efficient and uniform level across the Union, it is necessary to provide the Authority with the following powers: direct supervision of a certain number of selected obliged entities of the financial sector; monitoring, analysis and exchange of information concerning ML/TF risks affecting internal market; coordination and oversight of AML/CFT supervisors of the financial sector; coordination and oversight of AML/CFT supervisors of the non-financial sector, including self-regulatory bodies and the coordination and support of FIUs.

(6) Combining both direct and indirect supervisory competences over obliged entities, and also functioning as a support and cooperation mechanism for FIUs, is the most appropriate means of bringing about supervision and cooperation between FIUs at Union level. This should be achieved by creating an Authority which should combine independence and a high level of technical expertise and which should be established in line with the Joint Statement and Common Approach of the European Parliament, the Council of the European Union and the European Commission on decentralised agencies 32 .

(7) A seat agreement should be established between the Authority and the host Member State, stipulating the conditions of establishment of the seat and advantages conferred by the Member State on the Authority and its staff.

(8) The powers of the Authority should allow it to improve AML/CFT supervision in the Union in various ways. With respect to selected obliged entities, the Authority should ensure group-wide compliance with the requirements laid down in the AML/CFT framework and any other legally binding Union acts that impose AML/CFT-related obligations on financial institutions. Furthermore, the Authority should carry out periodic reviews to ensure that all financial supervisors have adequate resources and powers necessary for the performance of their tasks. It should facilitate the functioning of the AML supervisory colleges and contribute to convergence of supervisory practices and promotion of high supervisory standards. With respect to non-financial supervisors, including self-regulatory bodies where appropriate, the Authority should coordinate peer reviews of supervisory standards and practices and request non-financial supervisors to investigate possible breaches of AML/CFT requirements. In addition, the Authority should coordinate the conduct of joint analyses by FIUs and make available to FIUs IT and artificial intelligence services and tools for secure information sharing, including through hosting of FIU.net.

(9) With the objective to strengthen AML/CFT rules at Union level and to enhance their clarity while ensuring consistency with international standards and other legislation, it is necessary to establish the coordinating role of the Authority at Union level in relation to all types of obliged entities to assist national supervisors and promote supervisory convergence, in order to increase the efficiency of the implementation of AML/CFT measures, also in the non-financial sector. Consequently, the Authority should be mandated to prepare regulatory technical standards, to adopt guidelines, recommendations and opinions with the aim that where supervision remains at national level, the same supervisory practices and standards apply in principle to all comparable entities. The Authority should be entrusted, due to its highly specialised expertise, with the development of a supervisory methodology, in line with a risk-based approach. Certain aspects of the methodology, which can incorporate harmonised quantitative benchmarks, such as approaches for classifying the inherent risk profile of obliged entities should be detailed in directly applicable binding regulatory measures – regulatory or implementing technical standards. Other aspects, which require wider supervisory discretion, such as approaches to assessing residual risk profile and internal controls in the obliged entities should be covered by non-binding guidelines, recommendations and opinions of the Authority. The harmonised supervisory methodology should take due account of, and where appropriate, leverage the existing supervisory methodologies relating to other aspects of supervision of the financial sector obliged entities, especially where there is interaction between AML/CFT supervision and prudential supervision. Specifically, the supervisory methodology to be developed by the Authority should be complementary to guidelines and other instruments developed by the European Banking Authority detailing approaches of prudential supervisory authorities with respect to factoring ML/TF risks in prudential supervision, in order to ensure effective interaction between prudential and AML/CFT supervision.

(10) The Authority should be empowered to develop regulatory technical standards in order to complete the harmonised rulebook established in the [please insert references – proposal for 6th Anti-Money Laundering Directive, Anti-money laundering Regulation and proposal for a recast of Regulation (EU) 2015/847]. The Commission should endorse draft regulatory technical standards by means of delegated acts pursuant to Article 290 TFEU in order to give them binding legal effect. They should be subject to amendment only in very restricted and extraordinary circumstances, since the Authority is the actor in close contact with and knowing best the AML/CFT framework. To ensure a smooth and expeditious adoption process for those standards, the Commission’s decision to endorse draft regulatory technical standards should be subject to a time limit.

(11) The Commission should also be empowered to adopt implementing technical standards by means of implementing acts pursuant to Article 291 TFEU.

(12) Since there are no sufficiently effective arrangements to handle AML/CFT incidents involving cross-border aspects it is necessary to put in place an integrated AML/CFT supervisory system at Union level that ensures consistent high-quality application of the AML/CFT supervisory methodology and promotes efficient cooperation between all relevant competent authorities. For these reasons, the Authority and national AML/CFT supervisory authorities (‘supervisory authorities’) should constitute an AML/CFT supervisory system. This would also benefit supervisory authorities when facing specific challenges, for example vis-à-vis an enhanced AML/CFT risk or due to a lack of resources, as within that system mutual assistance should be possible on request. This could involve exchange and secondments of personnel, training activities and exchanges of best practices. Furthermore, the Commission could provide technical support to Member States under Regulation (EU) 2021/240 of the European Parliament and of the Council to promote reforms aimed at reinforcement of the fight against money laundering. 33

(13) Considering the important role of thematic reviews in AML/CFT supervision across the Union as they enable to identify and compare the level of exposure to risks and trends in relation to obliged entities under supervision, and that currently supervisors in different Member States do not benefit from these reviews, it is necessary that the Authority identifies national thematic reviews that have a similar scope and time-frame and ensures their coordination at the level of the Union. To avoid situations of possibly conflicting communications with supervised entities, the coordination role of the Authority should be limited to interaction with relevant supervisory authorities, and should not include any direct interaction with non-selected obliged entities. For the same reason, the Authority should explore the possibility of aligning or synchronising the timeframe of the national thematic reviews and facilitate any activities that the relevant supervisory authorities may wish to carry out jointly or similarly.

(14) The efficient usage of data leads to better monitoring and compliance of firms. Therefore, both direct and indirect supervision by the Authority and supervisory authorities of all obliged entities across the system should rely on expedient access to relevant data and information about the obliged entities themselves and the supervisory actions and measures taken towards them. To that end, the Authority should establish a central AML/CFT database with information collected from all supervisory authorities, and should make such information selectively available to any supervisory authority within the system. This data should also cover withdrawal of authorisation procedures, fit and proper assessments of shareholders and members of individual obliged entities as this will enable relevant authorities to duly consider possible shortcomings of specific entities and individuals that might have materialised in other Member States. The database should also include statistical information about supervisory and other public authorities involved in AML/CFT supervision. Such information would enable effective oversight by the Authority of the proper functioning and effectiveness of the AML/CFT supervisory system. The information from the database would enable the Authority to react in a timely manner to potential weaknesses and cases of non-compliance by non-selected obliged entities. Pursuant to Article 24 of Council Regulation (EU) 2017/1939 34 , the Authority will without undue delay report to the EPPO any criminal conduct in respect of which it could exercise its competence in accordance with Article 22 and Article 25(2) and (3) of that Regulation. Pursuant to Article 8 of Regulation 883/2013 35 , the Authority will transmit to OLAF without delay any information relating to possible cases of fraud, corruption or any other illegal activity affecting the financial interests of the Union.

(15) With the objective of ensuring a more effective and less fragmented protection of the Union’s financial framework, a limited number of the riskiest obliged entities should be directly supervised by the Authority. As ML/TF risks are not proportional to the size of the supervised entities, other criteria should be applied to identify the most risky entities. In particular, two categories should be considered: high-risk cross-border credit and financial institutions with activity in a significant number of Member States, selected periodically; and, in exceptional cases, any entity whose material breaches of applicable requirements are not sufficiently or in a timely manner addressed by its national supervisor. Those entities would fall under the category of ‘selected obliged entities’.

(16) The first category of credit and financial institutions, or groups of such institutions should be assessed every three years, based on a combination of objective criteria related to their cross-border presence and activity, and criteria related to their inherent ML/FT risk profile. Only large complex financial groups present in a number of Member States that could be more efficiently supervised at Union level should be included in the selection process. With respect to credit institutions, minimal cross-border presence for inclusion in the selection process should be based on the number of subsidiaries and branches in different Member States, because risky banking activities of significant volume require a local presence in a form of an establishment. Other financial sector entities may, in contrast, carry out activities that can be sufficiently risky from an ML/TF perspective by means of direct provision of services, for example via a network of agents, but may not have established subsidiaries or branches in a large number of Member States. Therefore, applying the same cross-border criteria, that is to say the one related to freedom of establishment, would result in scoping out large financial sector entities that can have a significant risk profile in a number of Member States, without being established there. Since the volume of activities via direct provision of services is generally smaller than the volume of activities carried out in a branch or a subsidiary, it is appropriate to consider only groups that are established in at least two Member States, but provide services directly or via a network of agents in at least eight more Member States.

(17) In order to ensure that only the riskiest obliged entities among those with significant cross-border operations are supervised directly at the level of the Union, the assessment of their inherent risk should be harmonised. Currently, there are various national approaches and supervisory authorities use distinct benchmarks for assessment and classification of inherent ML/TF risk of obliged entities. Using these national methodologies for selection of entities for direct supervision at Union level could lead to a different playing field among them. Therefore, the Authority should be empowered to develop regulatory technical standards laying out a harmonised methodology and benchmarks for categorising the inherent ML/TF risk as low, medium, substantial, or high. The methodology should be tailored to particular types of risks and therefore should follow different categories of obliged entities which are financial institutions in accordance with the Regulation of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing [OP please insert the next number for COM(2021)420]. That methodology should be sufficiently detailed and should establish specific quantitative and qualitative benchmarks considering at least the risk factors related to types of customers served, products and services offered, and geographical areas, including third country jurisdictions that obliged entities operate in or are related to. Specifically, each assessed obliged entity would have its inherent risk profile classified in each Member State where it operates in a manner consistent with the classification of any other obliged entity in the Union. The quantitative and qualitative benchmarks would allow such classification to be objective and not dependent on the discretion of a given supervisory authority in a Member State, or the discretion of the Authority.

(18) The final selection criterion should warrant a level playing field among directly supervised obliged entities, and to that end, no discretion should be left to the Authority or supervisory authorities in deciding on the list of obliged entities that should be subject to direct supervision. Therefore, where a given assessed obliged entity operates cross-border and falls within the high risk category in accordance with the harmonised methodology in a minimum number of Member States, it should be deemed a selected obliged entity. In case of credit institutions, the cross-border aspect should be addressed by including those credit institutions that are classified as high risk in at least four Member States and where in at least one Member State of those four the entity has been under supervisory or other public investigation for material breaches of AML/CFT requirements. In case of other financial institutions, the cross-border aspect should be addressed by including those financial institutions that are classified as high risk in at least one Member State where they are established and at least five other Member States where they operate by means of direct provision of services.

(19) To provide transparency and clarity to the relevant institutions, the Authority should publish a list of the selected obliged entities within one month of commencement of a selection round, after verifying the correspondence of information provided by the financial supervisors to the cross-border activities criteria and the inherent risk methodology. Therefore it is important that at the beginning of each selection period, the relevant financial supervisors provide the Authority with up-to-date statistical information to determine the list of financial institutions eligible for assessment in accordance with the assessment entry criteria relating to their cross-border operations. In this context, the financial supervisors should inform the Authority about the inherent risk category that a financial institution falls into in their jurisdictions in accordance with the methodology laid down in the regulatory technical standards. The Authority should then assume the tasks related to direct supervision five months after the publication of the list. That time is needed to appropriately prepare the transfer of supervisory tasks from national to Union level, including the formation of a joint supervisory team, and adopting any relevant working arrangements with the relevant financial supervisors.

(20) To ensure legal certainty and a level playing field among selected entities, any selected entity should remain under direct supervision of the Authority for at least three years, even if since the moment of selection and in the course of the three years it ceases to meet any of the cross-border activity or risk-related criteria due to e.g. potential consolidation, expansion or re-allocation of activities carried out via establishments or freedom to provide services. The Authority should also ensure that sufficient time is allocated to preparation by the obliged entities and their supervisory authorities to the transfer of supervision from national to Union level. Therefore, each subsequent selection should commence six months before the end-date of the three year period of supervision of the previously selected entities.

(21) The relevant actors involved in the application of the AML/CFT framework should cooperate with each other in accordance with the duty of sincere cooperation enshrined in the Treaties. In order to ensure that the AML supervisory system composed of the Authority and supervisory authorities functions as an integrated mechanism, and that jurisdiction-specific risks and local supervisory expertise are duly taken into account and well utilised, direct supervision of selected obliged entities should take place in the form of joint supervisory teams. These teams should be led by a staff member of the Authority coordinating all supervisory activities of the team. To ensure an adequate understanding of possible national specificities, the team leader (‘JST coordinator’) should be stationed in the Member State where a selected entity has its headquarter. The Authority should be in charge of establishment and composition of the joint supervisory team, and the local supervisors should ensure that a sufficient number of their staff members are appointed to the team, taking into account the risk profile of the selected entity in their jurisdiction.

(22) To ensure that the Authority can fulfil its supervisory obligations in an efficient manner with regard to selected obliged entities, the Authority should be able to obtain any internal documents and information necessary for the exercise of its tasks and for that purpose have general investigation powers afforded to all supervisory authorities under national administrative law.

(23) The Authority should have the power to require actions, internal to the entity, to enhance the compliance of obliged entities with the AML/CFT framework, including reinforcement of internal procedures and changes in the governance structure, going as far as removal of members of the management body, without prejudice to the powers of other relevant supervisory authorities of the same selected entity. Following relevant findings related to non-compliance or partial compliance with applicable requirements by the obliged entity, it should be able to impose specific measures or procedures for particular clients or categories of clients who pose high risks. On-site inspections should be a regular feature of such supervision. If a specific type of on-site inspection requires an authorisation by the national judicial authority, such authorisation should be applied for by the Authority.

(24) The Authority should have a full range of supervisory powers in relation to directly supervised entities in order to ensure compliance with applicable requirements. These powers should apply in cases where the selected entity does not meet its requirements, in cases where certain requirements are not likely to be met, as well as in cases where internal process and controls are not appropriate to ensure sound management of selected obliged entity’s ML/FT risks. The exercise of these powers could be done by means of binding decisions addressed to selected individual obliged entities.

(25) In addition to supervisory powers and in order to ensure compliance, in cases of material breaches of directly applicable requirements, the Authority should be able to impose administrative pecuniary sanctions on the selected obliged entities. Such sanctions should be proportionate and dissuasive, should have both punitive and deterrent effect, and should comply with the principle of ne bis in idem. The maximum amounts of pecuniary sanctions should be in line with those established by [please insert reference – 6th Anti-Money Laundering Directive] and available to all supervisory authorities across the Union. The basic amounts of these sanctions should be determined within the limits established by the AML/CFT framework, taking into account the nature of the requirements that have been breached. In order for the Authority to take aggravating or mitigating factors adequately into account, adjustments to the relevant basic amount should be possible. With the objective to achieve a timely change of the damaging business practice, the Executive Board of the Authority should be empowered to impose periodic penalty payments to compel the relevant legal or natural person to cease the relevant conduct. With the aim to heighten awareness of all obliged entities, by encouraging them to adopt business practices in line with the AML/CFT framework, the sanctions and penalties should be disclosed. The Court of Justice should have jurisdiction to review the legality of decisions adopted by the Authority, the Council and the Commission, in accordance with Article 263 TFEU, as well as for determining their non-contractual liability.

(26) In order for the Authority and financial supervisors to communicate swiftly and efficiently within AML/CFT supervisory system and to enable more coherent decision-making processes, it is necessary to have specific arrangements for communication within that system.

(27) For non-selected obliged entities, the AML/CFT supervision is to remain primarily at national level, with national competent authorities retaining full responsibility and accountability for direct supervision. The Authority should be granted adequate indirect supervisory powers to ensure that supervisory actions at national level are consistent and of a high quality across the Union. Therefore, it should carry out assessments of the state of supervisory convergence and publish reports with its findings. It should be empowered to issue guidelines and recommendations, addressed to both obliged entities as well as supervisory authorities, with a view to ensuring harmonised and high level supervisory practices across the Union.

(28) Certain obliged entities in the financial sector that do not meet the requirements for regular selection might still have a high inherent profile from the money laundering and terrorism financing perspective, or might take on, change or expand activities that entail high risk, not mitigated with a commensurate level of internal controls, thus leading to material breaches of its AML/CFT requirements. If there are indications of possible material breaches of applicable AML/CFT requirements, they may be a sign of gross negligence on part of the obliged entity. The supervisory authority should in most cases be able to adequately respond to any possible breaches and prevent the risks from materialising and leading to gross negligence of AML/CFT requirements. However, in certain cases a national level response might not be sufficient or timely, especially when there are indications that material breaches at the level of the entity have already occurred. In those cases, the Authority should be able to request the local supervisor to take specific measures to remedy the situation, including requesting to issue financial sanctions. To prevent money laundering and terrorism risks from materialising, the deadline for action at national level should be sufficiently short.

(29) The Authority should have the opportunity to request a transfer of supervisory tasks and powers relating to a specific obliged entity on its own initiative in case of inaction or failure to follow its instructions within the provided deadline. Since the transfer of tasks and powers over an obliged entity without the specific request of the financial supervisor to the Authority would require a discretionary decision on the part of the Authority, the Authority should address a specific request to that end to the Commission. In order for the Commission to be able to take a decision coherent with the framework of the tasks allocated to the Authority within the AML/CFT framework, the request of the Authority should enclose an appropriate justification, and should indicate a precise duration of the reallocation of tasks and powers towards the Authority. The timeframe for the reallocation of powers should correspond to the time the Authority requires to deal with the risks at entity level, and should not exceed three years. The Commission should adopt a decision transferring powers and tasks for supervising the entity to the Authority swiftly, and in any case within a month.

(30) In order to improve supervisory practices in the non-financial sector, the Authority should carry out peer reviews of supervisory authorities in the non-financial sector, including public authorities overseeing self-regulatory bodies (SRBs), and publish reports with its findings; those could be accompanied by guidelines or recommendations addressed to the relevant public authorities, including public authorities overseeing SRBs. SRBs should be able to participate in peer reviews on a case-by-case basis where they have expressed their willingness to participate.

(31) With the objective to increase the efficiency of the implementation of AML/CFT measures also in the non-financial sector, the Authority should also be able to investigate possible breaches or incorrect application of Union law by supervisory authorities in that sector, including public authorities overseeing SRBs.

(32) In order to analyse suspicious activity affecting multiple jurisdictions, the relevant FIUs that received linked reports should be able to efficiently conduct joint analyses of cases of common interest. To this end, the Authority should be able to propose, coordinate and support with all appropriate means the joint analyses of cross-border suspicious transactions or activities. The joint analyses should be triggered where there is a need to conduct just such joint analyses pursuant to the relevant provisions in Union law. Upon the explicit consent of the FIUs participating in the joint analyses, the staff of the Authority supporting the conduct of joint analyses should be able to receive and process all necessary data and information, including the data and information pertaining to the analysed cases.

(33) In order to improve the effectiveness of the joint analyses, the Authority should be able to initiate reviews of methods, procedures and conduct of the joint analyses, with the aim of determining the lessons learnt and of improving and promoting these analyses. The feedback on the joint analysis should enable the authority to issue conclusions and recommendations which would ultimately lead to the regular refinement and improvement of the methods and procedures for the conduct of joint analyses.

(34) In order to facilitate and improve cooperation between FIUs and the Authority, including for the purposes conducting joint analyses, the FIUs should be able to delegate one staff member per FIU to the Authority on a voluntary basis. The national FIU delegates should support the Authority’s staff in carrying out all the tasks relating to FIUs, including the conduct of joint analyses and the preparation of threat assessments and strategic analyses of money laundering and terrorist financing threats, risks and methods. Apart from the joint analyses, the Authority should encourage and facilitate various forms of mutual assistance between FIUs, including training and staff exchanges in order to improve capacity building and enable the exchange of knowledge and good practices amongst FIUs.

(35) The Authority should manage, host, and maintain FIU.net, the dedicated IT system allowing FIUs to cooperate and exchange information amongst each other and, where appropriate, with their counterparts from third countries and third parties. The Authority should, in cooperation with Member States, keep the system up-to-date. To this end, the Authority should ensure that at all times the most advanced available state-of-the-art technology is used for the development of the FIU.net, subject to a cost-benefit analysis.

(36) In order to establish consistent, efficient and effective supervisory and FIU-related practices and ensure common, uniform and coherent application of Union law, the Authority should be able to issue guidelines and recommendations addressed to all or category of obliged entities and all or a category of supervisory authorities and FIUs. The guidelines and recommendations could be issued pursuant to a specific empowerment in the applicable Union acts, or on the own initiative of the Authority, where there is a need to strengthen the AML/CFT framework at Union level.

(37) The establishment of a solid governance structure within the Authority is essential for ensuring effective exercise of the tasks granted to the Authority, and for an efficient and objective decision-making process. Due to the complexity and variety of the tasks conferred on the Authority in both the supervision and FIU areas, the decisions cannot be taken by a single governing body, as is often the case in decentralised agencies. Whereas certain types of decisions, such as decisions on adoption of common instruments, need to be taken by representatives of appropriate authorities or FIUs, and respect voting rules of the TFEU, certain other decisions, such as the decisions towards individual selected obliged entities, or individual authorities, require a smaller decision-making body, whose members should be subject to appropriate accountability arrangements. Therefore, the Authority should comprise a General Board, and an Executive Board composed of five full-time independent members and of the Chair of the Authority.

(38) In order to ensure the relevant expertise, the General Board should have two compositions. For all the decisions on the adoption of acts of general application such as the regulatory and implementing technical standards, guidelines, recommendations, and opinions relating to FIUs, it should be composed of the heads of FIUs of Member States (‘General Board in FIU composition’). For the same types of acts related to direct or indirect supervision of financial and non-financial obliged entities, it should be composed of the heads of AML/CFT supervisors which are public authorities (‘General Board in supervisory composition’). All parties represented in the General Board should make efforts to limit the turnover of their representatives, in order to ensure continuity of the Board's work. All parties should aim to achieve a balanced representation between men and women on the General Board.

(39) For a smooth decision making process, the tasks should be clearly divided: the General Board in FIU composition should decide on the relevant measures for FIUs, the General Board in supervisory composition should decide on delegated acts, guidelines and similar measures for obliged entities. The General Board in supervisory composition should also be able to provide its opinion and advice to the Executive Board on all draft decisions towards individual selected obliged entities proposed by the Joint Supervisory Teams. In absence of such opinion or advice, the decisions should be taken by the Executive Board. Whenever the Executive Board deviates from the advice provided by the General Board in supervisory composition in the final decision, it should explain the reasons thereof in writing.

(40) For the purposes of voting and taking decisions, each Member State should have one voting representative. Therefore, the heads of public authorities should appoint a permanent representative as the voting member of the General Board in supervisory composition. Alternatively, depending on the subject-matter of the decision or agenda of a given General board meeting, public authorities of a Member State may decide on an ad-hoc representative. The practical arrangements related to decision-making and voting by the General Board members in supervisory composition should be laid down in the Rules of Procedure of the General Board, to be developed by the Authority.

(41) The Chair of the Authority should chair the General Board meetings and have a right to vote when decisions are taken by simple majority. The Commission should be a non-voting member on the General Board. To establish good cooperation with other relevant institutions, the General Board should also be able to admit other non-voting observers, such as a representative of the Single Supervisory Mechanism and of each of the three European Supervisory Authorities (EBA, EIOPA and ESMA) for the General Board in its Supervisory Composition and Europol, the EPPO and Eurojust for the General Board in its FIU composition, where matters that fall under their respective mandates are discussed or decided upon. To allow a smooth decision making process, decisions of the General Board should be taken by a simple majority, except for decisions concerning draft regulatory and implementing technical standards, guidelines and recommendations which should be taken by a qualified majority of Member State representatives in accordance with voting rules of the TFEU.

(42) The governing body of the Authority should be the Executive Board composed of the Chair of the Authority and of five full time members, appointed by the General Board based on the shortlist by the Commission. With the aim of ensuring a speedy and efficient decision making process, the Executive Board should be in charge of planning and execution of all the tasks of the Authority except where specific decisions are explicitly allocated to the General Board. In order to ensure objectivity and appropriate rapidity of the decision-making process in the area of direct supervision of the selected obliged entities, the Executive Board should take all binding decisions addressed to selected obliged entities. In addition, together with a representative of the Commission the Executive Board should be collectively responsible for the administrative and budgetary decisions of the Authority. The consent of the Commission should be required when the Executive Board is taking decisions related to the budget administration, procurement, recruitment, and audit of the Authority, given that a portion of funding of the Authority will be provided from Union budget.

(43) To allow for swift decisions, all decisions of the Executive Board, including the decision where the Commission has a right to vote, should be taken by simple majority, with the Chair holding a casting vote in case of a tied vote. To ensure sound financial management of the Authority, the Commission’s consent should be required for decisions related to budget, administration and recruitment. The voting members of the Executive Board other than the Chair should be selected by the General Board, based on a short-list established by the Commission.

(44) To ensure the independent functioning of the Authority the five Members of the Executive Board and the Chair of the Authority should act independently and in the interest of the Union as a whole. They should behave, both during and after their term of office, with integrity and discretion as regards the acceptance of certain appointments or benefits. To avoid giving any impression that a Member of the Executive Board might use its position as a Member of the Executive Board of the Authority to get a high-ranking appointment in the private sector after his term of office and to prevent any post-public employment conflicts of interests, a cooling-off period for the five Members of the Executive Board, including the Chair of the Authority, should be introduced.

(45) The Chair of the Authority should be appointed based on objective criteria by the Council after approval by the European Parliament. He or she should represent the Authority externally and should report on the execution of Authority’s tasks.

(46) The Executive Director of the Authority should be appointed by the Executive Board based on a shortlist from the Commission. The Executive Director of the Authority should be a senior administrative official of the Authority, in charge of the day-to-day management of the Authority, and responsible for budget administration, procurement, and recruitment and staffing.

(47) To protect effectively the rights of parties concerned, for reasons of procedural economy and to reduce the burden on the Court of Justice of the European Union, the Authority should provide natural and legal persons with the possibility to request a review of decisions taken under the powers related to direct supervision and conferred on the Authority by this Regulation and addressed to them, or which are of direct and individual concern to them. The independence and objectivity of the decisions taken by the Administrative Board of Review should be, among others, ensured by its composition of five independent and suitably qualified persons. Decisions of the Administrative Board of Review should be in turn appealable before the Court of Justice of the European Union.

(48) To guarantee the proper functioning of the Authority, funding should be provided by a combination of fees levied on certain obliged entities and a contribution from the Union budget, depending on the tasks and functions. The budget of the Authority should be part of the Union budget, confirmed by the Budgetary Authority on the basis of a proposal from the Commission. The Authority should submit to the Commission a draft budget and an internal financial regulation for approval.

(49) To ensure that the Authority can also fulfil its tasks as direct and indirect supervisor of obliged entities, an adequate mechanism for the determination and the collection of the fees should be introduced. As regards the fees levied on selected obliged entities and certain non-selected obliged entities, the methodology for their calculation and the process of collection of fees should be developed in a delegated act of the Commission. The methodology should be based on the risk of the directly and indirectly supervised entities as well as their turnover or revenue.

(50) The rules on establishment and implementation of the budget of the Authority, as well as the presentation of annual accounts of the Authority, should follow the provisions of Commission Delegated Regulation (EU) 2019/715 36 as regards cooperation with the European Public Prosecutor’s Office and the effectiveness of the European Anti-Fraud Office investigations.

(51) In order to prevent and effectively combat internal fraud, corruption or any other illegal activity within the Authority, it should be subject to Regulation (EU, Euratom) No 883/2013as regards cooperation with the European Public Prosecutor’s Office and the effectiveness of the European Anti-Fraud Office investigations. The Authority should accede to Interinstitutional Agreement concerning internal investigations by OLAF, which should be able, to carry out on-the-spot checks within the area of its competence.

(52) As stated in the Cybersecurity Strategy for the European Union 37 , it is essential to ensure a high level of cyber resilience in all EU institutions, bodies and agencies due to the increasingly hostile threat environment. The Executive Director must thus ensure appropriate IT risk management, a strong internal IT governance and sufficient IT security funding. The Authority shall work closely with the Computer Emergency Response Team of the European Union Institutions, Bodies and Agencies and report major incidents with 24 hours to CERT EU as well as to the Commission.

(53) The Authority should be accountable to both the European Parliament and the Council for the execution of its tasks and implementation of this Regulation. The Chair of the Authority should present a respective report to the European Parliament, the Council and the Commission on a yearly basis.

(54) The staff of the Authority should be composed of temporary agents, contractual agents and seconded national experts as well as national delegates placed at the disposition of the Authority by Union FIUs. The Authority, in agreement with the Commission, should adopt the relevant implementing measures in accordance with the arrangements provided for in Article 110 of the Staff Regulations 38 .

(55) To ensure that confidential information is treated accordingly, all members of the governing bodies of the Authority, all staff of the Authority, including seconded staff and staff placed at the disposition of the Authority, as well as any persons carrying out tasks for the Authority on a contractual basis, should be subject to obligation of professional secrecy, including any confidentiality restrictions and obligations stemming from the relevant provisions of Union legislation, and related to the specific tasks of the Authority. However, confidentiality and professional secrecy obligations should not prevent the Authority from cooperating with, exchanging or disclosing information to other relevant national or Union authorities or bodies, where it is necessary for the performance of their respective tasks and where such cooperation and exchange of information obligations are envisaged in Union law.

(56) Without prejudice to the confidentiality obligations that apply to the Authority’s staff and representatives in accordance with the relevant provisions in Union law, the Authority should be subject to Regulation (EC) No 1049/2001 of the European Parliament and of the Council. 39 In line with the confidentiality and professional secrecy restrictions related to supervisory and FIU support and coordination tasks of the Authority, such access should not be extended to confidential information handled by the staff of the Authority. In particular, any operational data or information related to such operational data of the Authority and of the EU FIUs that is in the possession of the Authority due to carrying out the tasks and activities related to support and coordination of FIUs should be deemed as confidential. With regard to supervisory tasks, access to information or data of the Authority, the financial supervisors, or the obliged entities obtained in the process of carrying out the tasks and activities related to direct supervision should in principle also be treated as confidential and not subject to any disclosure. However, confidential information listed that relates to a supervisory procedure can be fully or partially disclosed to the obliged entities which are parties to such supervisory procedure, subject to the legitimate interest of legal and natural persons other than the relevant party, in the protection of their business secrets.

(57) Without prejudice to any specific language arrangements that could be adopted within AML supervisory system and with selected obliged entities, Council Regulation No 1 40 should apply to the Authority and any translation services which may be required for the functioning of the Authority should be provided by the Translation Centre for the Bodies of the European Union.

(58) Without prejudice to the obligations of the Member States and their authorities, the processing of personal data on the basis of this Regulation for the purposes of the prevention of money laundering and terrorist financing should be considered necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Authority under Article 5 of Regulation (EU) 2018/1725 of the European Parliament and of the Council 41 and Article 6 of Regulation 2016/679of the European Parliament and of the Council 42 . When developing any instruments or taking any decisions that may have a significant impact on the protection of personal data, the Authority should closely cooperate, where relevant, with the European Data Protection Board established by Regulation (EU) 2016/679 and with the European Data Protection Supervisor established by Regulation (EU) 2018/1725 to avoid duplication.

(59) The Authority should establish cooperative relations with the relevant Union agencies and bodies, including Europol, Eurojust, the EPPO, and the European Supervisory Authorities, namely the European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority. To improve cross-sectoral supervision and a better cooperation between prudential and AML/CFT supervisors the Authority should also establish cooperative relations with the authorities competent for prudential supervision of financial sector obliged entities, including the European Central Bank with regard to matters relating to the tasks conferred on it by Council Regulation (EU) No 1024/2013 43 , as well as with resolution authorities as defined in Article 3 of Directive (EU) 2014/59/EU of the European Parliament and the Council 44 and designated Deposit Guarantee Schemes authorities as defined in Article 2 (1), point 18 of Directive 2014/49/EU of the European Parliament and the Council 45 . To this end, the Authority should be able to conclude agreements or memoranda of understanding with such bodies, including with regard to any information exchange which is necessary for the fulfilment of the respective tasks of the Authority and these bodies. The Authority should make its best efforts to share information with such bodies on their request, within the limits posed by legal constraints, including data protection legislation. In addition, the Authority should enable effective information exchange between all financial supervisors in the AML/CFT supervisory system and the aforementioned authorities, such cooperation and information exchanges should take place in a structured and efficient way.

(60) Public-private partnerships (‘PPPs’) have become increasingly important cooperation and information exchange fora between FIUs, various national supervisory and law enforcement authorities and obliged entities in some Member States. Where the Authority would act as direct supervisor of selected obliged entities which are part of a PPP in any Member State, it could be beneficial for the Authority to also participate therein, on conditions determined by the relevant national public authority or authorities that set up such PPP, and with their explicit agreement.

(61) Considering that cooperation between supervisory, administrative and law enforcement authorities is crucial for successful combatting of money laundering and terrorism financing, and certain Union authorities and bodies have specific tasks or mandates in that area, the Authority should make sure that it is able to cooperate with such authorities and bodies, in particular OLAF, Europol, Eurojust, and the EPPO. If there is a need to establish specific working arrangements or conclude Memoranda of Understanding between the Authority and these bodies and authorities, the Authority should be able to do so. The arrangement should be of strategic and technical nature, should not imply sharing of any confidential or operational information in possession of the Authority and should account for tasks already carried out by the other Union institutions, bodies, offices or agencies as regards the prevention of and fight against money laundering and terrorist financing.

(62) Since both predicate offenses as well as the crime of money laundering itself often are of global nature, and given that the Union obliged entities also operate with and in third countries, effective cooperation with all the relevant third country authorities in the areas of both supervision and functioning of FIUs are crucial for strengthening the Union AML/CFT framework. Given the Authority’s unique combination of direct and indirect supervision and FIU cooperation-related tasks and powers, it should be able to take an active role in such external cooperation arrangements. Specifically, the Authority should be empowered to develop contacts and enter into administrative arrangements with authorities in third countries that have regulatory, supervisory and FIU-related competences. The Authority’s role could be particularly beneficial in cases where the interaction of several Union public authorities and FIUs with third country authorities concerns matters within the scope of the Authority’s tasks. In such cases, the Authority should have a leading role in facilitating this interaction.

(63) Since the Authority will have a full range of powers and tasks related to direct and indirect supervision and oversight of all obliged entities, it is necessary that these powers remain consolidated within one Union body, and do not give rise to conflicting competences with other Union bodies. Therefore, the European Banking Authority should not retain its tasks and powers related to anti-money laundering and countering the financing of terrorism, and the respective articles in Regulation (EU) No 1093/2010 of the European Parliament and of the Council 46 should be deleted. The resources allocated to the European Banking Authority for the fulfilment of those tasks should be transferred to the Authority. Considering that all three European Supervisory Authorities (EBA, ESMA and EIOPA) will be cooperating with the Authority, and may attend the meetings of the General Board in supervisory composition as observers, the same possibility should be afforded to the Authority in respect of meetings of the Board of Supervisors of the European Supervisory Authorities. In cases where the respective Boards of Supervisors discuss or decide on matters that are relevant for the execution of the Authority’s tasks and powers, the Authority should be able to participate in their meetings as an observer. The articles on the compositions of the Board of Supervisors in Regulation (EU) No 1093/2010, Regulation (EU) 1094/2010 of the European Parliament and the Council 47 , and Regulation (EU) 1095/2010 of the European Parliament and the Council 48 should therefore be amended accordingly.

(64) The Authority should be fully operation by the beginning of 2024. This should give the Authority sufficient time to establish its headquarter in the Member State as determined by this Regulation.

(65) The European Data Protection Supervisor has been consulted in accordance with Article 42 of Regulation (EU) 2018/1725 [and delivered an opinion on ...].